apparmor doesn't allow to start with a non-root user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Debian) | New | Unknown | |
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
I'm using 19.04 (Disco Dingo), kernel: 5.0.0-13-generic amd64
packages:
ii libcharon-
ii libstrongswan 5.7.1-1ubuntu2
ii libstrongswan-
ii strongswan 5.7.1-1ubuntu2
ii strongswan-charon 5.7.1-1ubuntu2
ii strongswan-
ii strongswan-starter 5.7.1-1ubuntu2
/etc/strongswan
strongswan error:
Apr 24 15:47:23 ubuntu-1904-2 ipsec[1422]: 00[LIB] dropping capabilities failed: Operation not permitted
Apr 24 15:47:23 ubuntu-1904-2 ipsec[1422]: 00[DMN] capability dropping failed - aborting charon
strongswan logs - https:/
strace charon - https:/
capset(
I enabled the complain mode, but aa-logprof found nothing. With user=root in strongswan.conf it starts perfectly. Also, I downgraded to strongswan-5.3 and everything works well with the same apparmor profile.
Any ideas?
Related branches
- Andreas Hasenack: Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
Diff: 2385 lines (+1804/-85), 17 files modified
debian/changelog (+1412/-0)
debian/control (+107/-11)
debian/ipsec.secrets.proto (+0/-3)
debian/libcharon-extra-plugins.install (+109/-6)
debian/libcharon-standard-plugins.install (+19/-0)
debian/libstrongswan-extra-plugins.install (+54/-0)
debian/libstrongswan.install (+5/-0)
debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
debian/patches/series (+1/-0)
debian/rules (+48/-6)
debian/strongswan-starter.install (+4/-0)
debian/strongswan-starter.postinst (+0/-57)
debian/usr.lib.ipsec.charon (+12/-0)
debian/usr.lib.ipsec.lookip (+2/-0)
debian/usr.lib.ipsec.stroke (+2/-0)
debian/usr.sbin.charon-systemd (+11/-1)
debian/usr.sbin.swanctl (+7/-1)
description: updated
Changed in strongswan (Debian):
status: Unknown → New
CAP_SETPCAP should be allowed in the profile
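
One way to check a profile for the rule the comment above asks for, as an added example that is not part of the original bug report or the strongSwan packaging. It parses AppArmor `capability` rules and reports whether `setpcap` is allowed, denied or missing, then relates that to the two log lines from the bug description. The profile texts are constructed samples, the function names are hypothetical, and rules pulled in through `#include` are not followed.

```python
import re

# Constructed sample profiles for illustration; not the packaged charon profile.
PROFILE_WITHOUT = """\
/usr/lib/ipsec/charon flags=(attach_disconnected) {
  #include <abstractions/base>
  capability net_admin,
  capability net_raw chown setgid setuid,   # no setpcap here
  # capability setpcap,
}
"""
PROFILE_WITH = PROFILE_WITHOUT.replace("  # capability setpcap,", "  capability setpcap,")
PROFILE_DENIED = PROFILE_WITH.replace("\n}", "\n  deny capability setpcap,\n}")

# The two charon messages quoted in the bug description.
LOG = [
    "Apr 24 15:47:23 ubuntu-1904-2 ipsec[1422]: 00[LIB] dropping capabilities failed: Operation not permitted",
    "Apr 24 15:47:23 ubuntu-1904-2 ipsec[1422]: 00[DMN] capability dropping failed - aborting charon",
]

# [audit] [allow|deny] capability [name ...],
RULE = re.compile(r"^\s*(?:audit\s+)?(?:(allow|deny)\s+)?capability\b([^,]*),")

def capability_status(profile_text, cap="setpcap"):
    """Return 'allowed', 'denied' or 'missing' for cap, from rules in this text only."""
    allowed = denied = False
    for line in profile_text.splitlines():
        m = RULE.match(line.split("#", 1)[0])      # drop comments and #include lines
        if not m:
            continue
        names = m.group(2).split()
        if names and cap not in names:             # a bare "capability," names every capability
            continue
        if m.group(1) == "deny":
            denied = True
        else:
            allowed = True
    if denied:
        return "denied"                            # deny rules override allow rules
    return "allowed" if allowed else "missing"

def diagnose(log_lines, profile_text):
    """Tie the logged symptom to the profile state."""
    failed = any("dropping capabilities failed" in l for l in log_lines)
    status = capability_status(profile_text)
    if failed and status != "allowed":
        return f"capability drop failed and setpcap is {status} in the profile"
    return f"setpcap is {status}; capability drop failure logged: {failed}"

if __name__ == "__main__":
    for name, text in [("without", PROFILE_WITHOUT), ("with", PROFILE_WITH), ("denied", PROFILE_DENIED)]:
        print(name, "->", diagnose(LOG, text))
```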